Explore the intricacies of Web Application Firewall (WAF) detection logic in this 40-minute Black Hat conference talk. Delve into the core mechanisms of WAFs, focusing on regular expression-based detection. Analyze the security of six popular open-source WAFs, including OWASP CRS 2,3 - ModSecurity, Comodo WAF, PHPIDS, QuickDefense, and Libinjection. Discover a new Static Application Security Testing (SAST) tool designed to uncover security flaws in regular expression syntax. Learn how to apply a "regex security cheatsheet" to examine rules from popular WAFs and identify logical flaws. Uncover unexpected attack vectors for Cross-Site Scripting and SQL-Injection (MySQL, MSSQL, Oracle) using advanced fuzz testing techniques. Gain insights into clustering and representing attack vectors through look-up tables, useful for both attackers and defenders. Explore over 15 new bypass vectors and understand the potential weaknesses in WAF detection logic, with an indication of more than 300 possible vulnerabilities.
Overview
Syllabus
Web Application Firewalls: Analysis of Detection Logic
Taught by
Black Hat